.env.sample

@@ -19,8 +19,14 @@ COMPOSE_FILE="compose.yml"
 # General settings                                                  #
 #####################################################################
 
-## Host-mode networking
-#COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"
+## Ingress-mode port publishing for ports 80 and 443
+##
+## /!\ Using this prevents the use of any compose override adding
+##     published ports to the traefik_app service (almost all of them)
+##     and it prevents the use of IPv6 for ingress traffic.
+##     Do not uncomment unless you know exactly what you are doing
+##
+#COMPOSE_FILE="$COMPOSE_FILE:compose.no-host.yml"
 
 ## "Headless mode" (no domain configured)
 #COMPOSE_FILE="$COMPOSE_FILE:compose.headless.yml"

compose.compy.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - COMPY_ENABLED
     ports:
-      - "9999:9999"
+      - target: 9999
+        published: 9999
+        protocol: tcp
+        mode: host

compose.foodsoft.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - FOODSOFT_SMTP_ENABLED
     ports:
-      - "2525:2525"
+      - target: 2525
+        published: 2525
+        protocol: tcp
+        mode: host

compose.gitea.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - GITEA_SSH_ENABLED
     ports:
-      - "2222:2222"
+      - target: 2222
+        published: 2222
+        protocol: tcp
+        mode: host

compose.host.yml

@@ -1,15 +1,2 @@
 ---
 version: "3.8"
-
-services:
-  app:
-    deploy:
-      update_config:
-        order: stop-first
-    ports:
-      - target: 80
-        published: 80
-        mode: host
-      - target: 443
-        published: 443
-        mode: host

compose.irc.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - IRC_ENABLED
     ports:
-      - "6697:6697"
+      - target: 6697
+        published: 6697
+        protocol: tcp
+        mode: host

compose.matrix.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - MATRIX_FEDERATION_ENABLED
     ports:
-      - "8448:8448"
+      - target: 8448
+        published: 8448
+        protocol: tcp
+        mode: host

compose.minio.yml

@@ -6,4 +6,7 @@ services:
     environment:
       - MINIO_CONSOLE_ENABLED
     ports:
-      - "9001:9001"
+      - target: 9001
+        published: 9001
+        protocol: tcp
+        mode: host

compose.mumble.yml

@@ -4,6 +4,11 @@ services:
     environment:
       - MUMBLE_ENABLED
     ports:
-      - "64738:64738/udp"
-      # note (3wc): see https://github.com/docker/compose/issues/7627
-      - "64737-64739:64737-64739/tcp"
+      - target: 64738
+        published: 64738
+        protocol: udp
+        mode: host
+      - target: 64738
+        published: 64738
+        protocol: tcp
+        mode: host

compose.nextcloud-talk-hpb.yml

@@ -4,5 +4,11 @@ services:
     environment:
       - NEXTCLOUD_TALK_HPB_ENABLED
     ports:
-      - "3478:3478/udp"
-      - "3478:3478/tcp"
+      - target: 3478
+        published: 3478
+        protocol: udp
+        mode: host
+      - target: 3478
+        published: 3478
+        protocol: tcp
+        mode: host

compose.no-host.yml

@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    ports:
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: ingress
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: ingress
+    deploy:
+      endpoint_mode: vip

compose.peertube.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - PEERTUBE_RTMP_ENABLED
     ports:
-      - "1935:1935"
+      - target: 1935
+        published: 1935
+        protocol: tcp
+        mode: host

compose.smtp.yml

@@ -6,4 +6,7 @@ services:
     environment:
       - SMTP_ENABLED
     ports:
-      - "587:587"
+      - target: 587
+        published: 587
+        protocol: tcp
+        mode: host

compose.ssb.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - SSB_MUXRPC_ENABLED
     ports:
-      - "8008:8008"
+      - target: 8008
+        published: 8008
+        protocol: tcp
+        mode: host

compose.web-alt.yml

@@ -4,4 +4,7 @@ services:
     environment:
       - WEB_ALT_ENABLED
     ports:
-      - "8000:8000"
+      - target: 8000
+        published: 8000
+        protocol: tcp
+        mode: host

compose.yml

@@ -8,8 +8,14 @@ services:
     # Doing so could break new installs with port conflicts. Please use
     # the usual `compose.$app.yml` approach for any additional ports
     ports:
-      - "80:80"
-      - "443:443"
+      - target: 80
+        published: 80
+        protocol: tcp
+        mode: host
+      - target: 443
+        published: 443
+        protocol: tcp
+        mode: host
     volumes:
       - "letsencrypt:/etc/letsencrypt"
       - "file-providers:/etc/traefik/file-providers"
@@ -37,9 +43,10 @@ services:
     command: traefik
     entrypoint: /custom-entrypoint.sh
     deploy:
+      endpoint_mode: dnsrr
       update_config:
         failure_action: rollback
-        order: start-first
+        order: stop-first
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=web"

release/next

@@ -0,0 +1,11 @@
+Short summary of the latest changes:
+
+ * Exposed ports have been switched to host-mode port publishing by default
+   This adds support for IPv6 ingress, which means that after deploying this
+   change, DNS AAAA records can be made to point to the relevant IPv6
+   address and Traefik will handle public IPv6 ingress traffic (including ACME
+   HTTP-01 challenges)
+
+   /!\ This is a breaking change. It is still possible to revert ports 80 and
+       443 to ingress-mode (the previous default) but keep in mind that there
+       is no longer an easy way to publish additional ports in ingress mode.